Change service directory permission; change python3 to python38

User inside the container images for logscraper and loggearman is
setting lowest value that is set in the system which is 1000.
This uid and gid is provided for other user and the services should
be running with different uids/gids.
In that case, the logscraper service gid/uid is 10210 and
loggearman gid/uid is set to 10211.

Change-Id: Ida0e2ceaf341fb7cbea18f3eaf161daa836e8ea7

Dockerfile

@@ -17,13 +17,13 @@ FROM quay.io/centos/centos:stream8
 
 ENV PATH=/workspace/.local/bin:/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin
 
-RUN groupadd logscraper && \
-    useradd --home-dir /home/logscraper -g logscraper logscraper
+RUN groupadd logscraper --gid 1000 && \
+    useradd --home-dir /home/logscraper --gid 1000 --uid 1000 logscraper
 
 RUN dnf update -y && \
-    dnf install -y python3 python3-setuptools \
-                   python3-devel python3-wheel \
-                   python3-pip git
+    dnf install -y python38 python38-setuptools \
+                   python38-devel python38-wheel \
+                   python38-pip git
 
 COPY . /tmp/src
 RUN cd /tmp/src && \

ansible/playbooks/check-services.yml

@@ -22,5 +22,11 @@
           - https://zuul.opendev.org/api/tenant/openstack
         insecure: false
         job_names: []
+  pre_tasks:
+    - name: Update all packages
+      become: true
+      package:
+        name: "*"
+        state: latest
   roles:
     - check-services

ansible/roles/loggearman/defaults/main.yml

@@ -1,6 +1,8 @@
 ---
 loggearman_user: loggearman
 loggearman_group: loggearman
+loggearman_gid: 10211
+loggearman_uid: 10211
 
 loggearman_dir: /etc/loggearman
 loggearman_log_dir: /var/log/loggearman

ansible/roles/loggearman/tasks/main.yml

@@ -2,6 +2,7 @@
 - name: Create decidated group
   group:
     name: "{{ loggearman_group }}"
+    gid: "{{ loggearman_gid }}"
     state: present
 
 - name: Create dedicated user
@@ -10,6 +11,7 @@
     state: present
     comment: "Dedicated user for loggearman"
     group: "{{ loggearman_group }}"
+    uid: "{{ loggearman_uid }}"
     shell: "/sbin/nologin"
     create_home: false
 
@@ -19,6 +21,7 @@
     state: directory
     owner: "{{ loggearman_user }}"
     group: "{{ loggearman_group }}"
+    mode: "0755"
   loop:
     - "{{ loggearman_dir }}"
     - "{{ loggearman_log_dir }}"
@@ -29,7 +32,7 @@
     state: touch
     owner: "{{ loggearman_user }}"
     group: "{{ loggearman_group }}"
-    mode: "0666"
+    mode: "0644"
   loop:
     - client
     - worker
@@ -43,6 +46,9 @@
   template:
     src: "{{ item }}.yml.j2"
     dest: "{{ loggearman_dir }}/{{ item }}.yml"
+    owner: "{{ loggearman_user }}"
+    group: "{{ loggearman_group }}"
+    mode: "0644"
   loop:
     - client
     - worker

ansible/roles/loggearman/templates/loggearman.sh.j2

@@ -4,8 +4,11 @@
 /usr/bin/podman run \
     --network host \
     --rm \
+    --user 1000:1000 \
+    --uidmap 0:{{ loggearman_uid + 1 }}:999 \
+    --uidmap 1000:{{ loggearman_uid }}:1 \
     --name loggearman-{{ item }} \
-    --volume {{ loggearman_dir }}:{{ loggearman_dir }}:Z \
+    --volume {{ loggearman_dir }}:{{ loggearman_dir }}:z \
     --volume {{ loggearman_log_dir }}:{{ loggearman_log_dir }}:z \
     {{ container_images['loggearman'] }} \
     log-gearman-{{ item }} \

ansible/roles/logscraper/defaults/main.yml

@@ -1,6 +1,8 @@
 ---
 logscraper_user: logscraper
 logscraper_group: logscraper
+logscraper_gid: 10210
+logscraper_uid: 10210
 logscraper_dir: /etc/logscraper
 
 container_images:

ansible/roles/logscraper/tasks/main.yml

@@ -2,6 +2,7 @@
 - name: Create dedicated group
   group:
     name: "{{ logscraper_group }}"
+    gid: "{{ logscraper_gid }}"
     state: present
 
 - name: Create dedicated user
@@ -10,6 +11,7 @@
     state: present
     comment: "Dedicated user for logscraper"
     group: "{{ logscraper_group }}"
+    uid: "{{ logscraper_uid }}"
     shell: "/sbin/nologin"
     create_home: false
 
@@ -19,6 +21,7 @@
     state: directory
     owner: "{{ logscraper_user }}"
     group: "{{ logscraper_group }}"
+    mode: "0755"
 
 - name: Ensure container software is installed
   package:

ansible/roles/logscraper/tasks/service.yml

@@ -13,6 +13,14 @@
     owner: root
     group: root
 
+- name: Set empty logscraper checkpoint file
+  file:
+    path: "{{ item.checkpoint_file | default(logscraper_dir + '/checkpoint') }}"
+    state: touch
+    owner: "{{ logscraper_user }}"
+    group: "{{ logscraper_group }}"
+    mode: "0644"
+
 - name: Enable and restart service
   service:
     name: logscraper-{{ item.tenant }}

ansible/roles/logscraper/templates/logscraper.sh.j2

@@ -3,6 +3,9 @@
 /usr/bin/podman run \
     --network host \
     --rm \
+    --user 1000:1000 \
+    --uidmap 0:{{ logscraper_uid + 1 }}:999 \
+    --uidmap 1000:{{ logscraper_uid }}:1 \
     --name logscraper-{{ item.tenant }} \
     --volume {{ logscraper_dir }}:{{ logscraper_dir }}:z \
     {{ container_images['logscraper'] }} \

loggearman/Dockerfile

@@ -18,13 +18,13 @@ FROM quay.io/centos/centos:stream8
 ENV OSLO_PACKAGE_VERSION='0.0.1'
 ENV PATH=~/.local/bin:/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin
 
-RUN groupadd loggearman && \
-    useradd --home-dir /home/loggearman -g loggearman loggearman
+RUN groupadd --gid 1000 loggearman && \
+    useradd --home-dir /home/loggearman --gid 1000 --uid 1000 loggearman
 
 RUN dnf update -y && \
-    dnf install -y python3 python3-setuptools \
-                   python3-devel python3-wheel \
-                   python3-pip git
+    dnf install -y python38 python38-setuptools \
+                   python38-devel python38-wheel \
+                   python38-pip git
 
 COPY . /tmp/src
 RUN cd /tmp/src && \